The Matrix

Privacy and data security laws and regulations continue to evolve quickly, and companies processing personal data have an increasing array of issues to manage. As we enter 2024, below are five key considerations for companies managing privacy and data security risks.

In an eye-opening 4-3 decision issued on Friday, the Illinois Supreme Court ruled that a separate Biometric Information Privacy Act (“BIPA”) claim accrues “with every scan or transmission of biometric identifiers or biometric information without prior informed consent.” Cothron v. White Castle System, Inc., 2023 IL 128004 ¶ 45. The decision may have staggering consequences on all pending BIPA cases, converting what might have been a single claim, into thousands of separate claims for $1,000 or $5,000 (depending on whether the violation is negligent or willful). The impact of the decision is even more severe in light of the Illinois Supreme Court’s recent decision in Tims v. Black Horse Carriers, Inc., 2023 IL 127801, applying a five-year statute of limitations to all BIPA claims. 

The Illinois Supreme Court has issued its highly anticipated ruling in Tims v. Black Horse Carriers, Inc., 2023 IL 127801, which expands the statute of limitations period for certain claims under the Biometric Information Privacy Act (BIPA) from one year to five years. The Court reversed in part a previous ruling by the appellate court, which held that a one-year limitations period applied to claims under subsections 15(c) and (d) of BIPA, prohibiting the sale and unauthorized disclosure of biometric data, and affirmed the appellate court’s judgment that a five-year period applied to other claims under BIPA.

On October 12, 2022, a jury returned a verdict against the defendant, BNSF Railway Company (“BNSF”), in the first trial in a class action asserting claims under the Illinois Biometric Information Privacy Act (“BIPA”). Shortly thereafter, the Court entered a staggering judgment against BNSF in the amount of $228 million. To the extent that companies operating in Illinois have not already recognized the significant impact of BIPA, they should be paying attention now. While the case seemingly addressed a number of issues that companies have been grappling with in considering the implications of this law, many important questions about BIPA’s reach still persist.

This is a follow-up to the June 23, 2021 Litigation Trends Analysis Alert, “How the IWCA Impacts BIPA Claims.” As noted there, the question before the Supreme Court of Illinois in McDonald was whether claims of injury under the Illinois Biometric Information Privacy Act (BIPA) fall under the scope of the Illinois Workers’ Compensation Act (IWCA). The Court ruled last month that the BIPA is not preempted by the IWCA.

The Illinois Biometric Information Privacy Act (BIPA) is a law concerning the protection of biometric data. The BIPA requires companies collecting biometric information to establish a policy and obtain a written release from its employees prior to collecting and using this information. The BIPA is the only statute of its kind with a private right of action. Under the BIPA, individuals may sue for violations and recover monetary damages. 

New York And Maryland Propose BIPA-Like Biometric Privacy Bills
New York Assembly Bill 27—introduced on January 6, 2021—seeks to amend the New York general business law in relation to biometric privacy.  Similarly, Maryland House Bill 218—introduced on January 13, 2021—proposes biometric privacy regulations on private entities in Maryland.

The Illinois Biometric Information Privacy Act (BIPA) is the only biometric privacy statute in the country with a private right of action. In the last two years, litigation under BIPA has dominated privacy law headlines. There are hundreds of BIPA class action lawsuits pending in Illinois state and federal courts, with new filings each week.

Last month, the Seventh Circuit issued a highly anticipated ruling concerning Article III standing for claims brought under the Illinois Biometric Information Privacy Act (BIPA).

New York’s Stop Hacks and Improve Electronic Data Security Act (the “SHIELD Act”) took effect on March 21, 2020.  The Act expands existing state breach notification requirements and imposes specific data security protections for covered businesses that own or license the private information of New York residents, regardless of whether those businesses are based in New York. The Act also broadens the definition of “private information” to include new types and combinations of data.

On March 31, 2020, Washington Senate Bill No. 6280 (the “Act”) became law, codifying one of the most detailed facial recognition regulations in the country. The Act regulates state and local government agencies in Washington using or intending to develop, procure, or use a facial recognition service but also includes important considerations for companies designing this technology.